Access Control Measures for Securing Credit Card Information

Upload: ajit-dadresa

Post on 17-Nov-2014


DESCRIPTION

This presentation is about access control measures for securing credit card information. - How Credit Card works ? - Types of Data on a Payment Card - Payment Card Industry Security Standards Council - Requirements - Making Stored Data Unreadable - One Way Hashes - Tokenization - Cryptography - Truncation - Authorization factors for securing credit card information - Terminologies and steps in authorization - Authentication - Password authentication

TRANSCRIPT

Page 1: Access control measures for securing credit card information

Access Control Measures for Securing

Credit Card Information

Page 2: Access control measures for securing credit card information

How a Credit Card Works

http://www.ifour-consultancy.com Offshore development company India

Page 3: Access control measures for securing credit card information

Types of Data on a Payment Card


Page 4: Access control measures for securing credit card information

Payment Card Industry Security Standards Council

- The Council publishes PCI DSS, a proprietary information security standard for organizations that handle cardholder information for the major debit, credit, prepaid, e-purse, ATM, and POS cards.

- The standard was created to increase controls around cardholder data and so reduce credit card fraud resulting from its exposure.


Page 5: Access control measures for securing credit card information

Requirements

Control Objectives and PCI DSS Requirements

Build and Maintain a Secure Network

1. Install and maintain a firewall configuration to protect cardholder data

2. Do not use vendor-supplied defaults for system passwords and other security parameters

Protect Cardholder Data

3. Protect stored cardholder data

4. Encrypt transmission of cardholder data across open, public networks

Maintain a Vulnerability Management Program

5. Use and regularly update anti-virus software on all systems commonly affected by malware

6. Develop and maintain secure systems and applications

Implement Strong Access Control Measures

7. Restrict access to cardholder data by business need-to-know

8. Assign a unique ID to each person with computer access

9. Restrict physical access to cardholder data

Regularly Monitor and Test Networks

10. Track and monitor all access to network resources and cardholder data

11. Regularly test security systems and processes

Maintain an Information Security Policy

12. Maintain a policy that addresses information security


Page 7: Access control measures for securing credit card information

Making Stored Data Unreadable

• PCI DSS suggests four alternative methods for rendering PAN information unreadable when it is stored (Requirement 3.4): one-way hashes, truncation, tokenization, and encryption.

• The Standard also mandates the use of masking for displaying account data to anyone who doesn’t have a legitimate need to access the full PAN (Requirement 3.3).


Page 8: Access control measures for securing credit card information

One Way Hashes

• Hash algorithms are one-way functions that turn a message into a fingerprint, usually not much more than a dozen bytes long. Truncation discards part of the input field. Both approaches can be used to reduce the cost of securing data fields in situations where you do not need the data to do business and you never need the original data back again.


Page 10: Access control measures for securing credit card information

Tokenization

• Tokenization is the act of replacing the original data field with a reference or pointer to the actual data field. This lets you store the reference pointer anywhere within your network or database systems. Combined with proper network segmentation, this approach can be used to reduce the cost of securing data fields in situations where you do not need the data itself to do business, only a reference to it.


Page 12: Access control measures for securing credit card information

Cryptography

• Encryption of sensitive data is one of the most effective means of preventing information disclosure and the resultant potential for fraud. Cryptographic technology is mature and well proven. There is simply no excuse for not encrypting sensitive data. The choice of encryption scheme and topology of the encryption solution is critical in deploying a secure, effective and reasonable control. The single largest failure in deploying encryption is attempting to create an ad-hoc cryptographic implementation.


Page 14: Access control measures for securing credit card information

Truncation

• Method of rendering the full PAN unreadable by permanently removing a segment of PAN data.

• Truncation can be thought of as never writing the numbers down in the first place, or erasing them so completely that they are never recoverable. Because the entire number is never recorded on the sheet of paper, it can never be used to commit fraud against the credit card companies or consumers. That piece of paper has no value to a malicious attacker and therefore does not need to be protected.
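As an added example that is not part of the presentation, the following code applies the Requirement 3.3 masking rule and the Requirement 3.4 one-way hash, truncation and tokenization methods from the preceding slides to a constructed test PAN. The HMAC key and the in-memory vault are assumptions standing in for an HSM-held key and a real, segmented token vault.

```python
import hashlib
import hmac
import secrets

# Constructed sample PAN (a standard test number, not a real account).
SAMPLE_PAN = "4111111111111111"

def luhn_valid(pan: str) -> bool:
    """Reject structurally invalid input before doing anything with it."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Requirement 3.3: display at most the first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def truncate_pan(pan: str) -> str:
    """Requirement 3.4 truncation: keep only the last four; the rest is never stored."""
    return pan[-4:]

def hash_pan(pan: str, key: bytes) -> str:
    """Requirement 3.4 one-way hash. A keyed HMAC is used instead of a bare
    SHA-256 because a 16-digit PAN with a known BIN prefix is a small enough
    space to brute-force; the key (assumed to live in an HSM/KMS) must never
    be stored next to the hashes."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()

class TokenVault:
    """Requirement 3.4 tokenization: a random token replaces the PAN
    everywhere outside the vault; only the vault can map it back. This
    in-memory dict is an assumed stand-in for a segmented, access-controlled vault."""
    def __init__(self) -> None:
        self._pan_by_token = {}

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("not a valid PAN")
        token = secrets.token_hex(8)   # random; bears no relation to the PAN digits
        self._pan_by_token[token] = pan
        return token

    def detokenize(self, token: str) -> str:
        return self._pan_by_token[token]
```

Note that only the vault holder (or the HMAC key holder) needs PCI DSS scope for the stored value; systems that hold only tokens, hashes or truncated digits hold nothing an attacker can spend.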


Page 16: Access control measures for securing credit card information

Authorization factors for securing credit card information

• An authorization is an approval on a cardholder account for a sale amount. An authorization hold is a reduction of the cardholder's credit line for the amount of the sale. This hold can remain on the cardholder's account for up to 30 days, depending upon the issuing bank's policy.


Page 17: Access control measures for securing credit card information

Terminologies and steps in authorization

What is a credit card Authorization? It is an authorization for a specific amount of funds from a credit card holder. As a merchant, when you process a transaction on behalf of your customer, an initial credit card authorization is sent to check that the customer's credit card is valid and that he or she has sufficient funds to complete the online transaction.

What is a credit card Capture? The credit card Capture is the missing piece of the puzzle that allows a merchant to have the funds owed to him transferred from the customer's account to the merchant's account. The online transaction amount does not reach the merchant's settlement account until the funds are captured. Notably, the merchant specifies the total amount to capture from the customer's account.

How long does a credit card Authorization last? A credit card Authorization has a specific time frame in which the merchant is able to issue a credit card Capture to retrieve their funds from the customer's account. This time frame unfortunately is not set in stone and differs depending on the card scheme (VISA, MasterCard, American Express, JCB, Diners etc.). Generally speaking, a credit card Authorization will become void after 10 days or so.
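The authorize/capture lifecycle described in the three questions above, as an added example that is not part of the presentation. The validity window is a parameter (defaulting to the 10 days the slide quotes) because the real window depends on the card scheme; amounts are in cents, and the account model is an assumption.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

@dataclass
class Authorization:
    auth_id: str
    amount: int            # held amount, in cents
    created: datetime
    valid_days: int        # scheme-dependent; the slides quote roughly 10 days
    captured: int = 0

    def expires_at(self) -> datetime:
        return self.created + timedelta(days=self.valid_days)

@dataclass
class CardholderAccount:
    credit_line: int                       # available credit, in cents
    holds: dict = field(default_factory=dict)

def authorize(acct, auth_id, amount, now, valid_days=10):
    """Approve a sale amount and place a hold that reduces the credit line."""
    if amount <= 0 or amount > acct.credit_line:
        return False
    acct.credit_line -= amount
    acct.holds[auth_id] = Authorization(auth_id, amount, now, valid_days)
    return True

def release(acct, auth_id):
    """Drop a hold and return its uncaptured amount to the credit line."""
    auth = acct.holds.pop(auth_id)
    acct.credit_line += auth.amount - auth.captured

def capture(acct, auth_id, amount, now):
    """Move funds to the merchant: only inside the window, never above the hold."""
    auth = acct.holds.get(auth_id)
    if auth is None:
        return False
    if now >= auth.expires_at():
        release(acct, auth_id)             # authorization is void: hold released
        return False
    if amount <= 0 or amount > auth.amount:
        return False                       # merchant may capture at most the hold
    auth.captured = amount
    release(acct, auth_id)                 # settled; any unused remainder goes back
    return True
```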


Page 18: Access control measures for securing credit card information

Authentication

• The function of verifying a user's identity — known as authentication — is important in establishing trust in critical business processes. In its simplest form, authentication is the act of verifying a person's claim on his or her identity and is usually implemented through a username and password combination when logging into an IT system or application.

Password Authentication

Hardware Authentication


Page 19: Access control measures for securing credit card information

Password authentication

• In general, password systems work by requiring the user to enter a user ID and password (or pass phrase or personal identification number). The system compares the password to a previously stored password for that user ID. If there is a match, the user is authenticated and granted access.

• Benefits of Passwords. Passwords have been successfully providing security for computer systems for a long time. They are integrated into many operating systems, and users and system administrators are familiar with them. When properly managed in a controlled environment, they can provide effective security.

• Problems With Passwords. The security of a password system depends upon keeping passwords secret. Unfortunately, there are many ways that the secret may be divulged. All of the problems discussed below can be significantly mitigated by improving password security, as discussed in the sidebar. However, there is no fix for the problem of electronic monitoring, except to use more advanced authentication (e.g., based on cryptographic techniques or tokens).


Page 20: Access control measures for securing credit card information

Password-based authentication is strengthened using the following technologies:

Cryptographic algorithms and keys

Digital certificate

Memory Tokens

Payment gateways


Page 21: Access control measures for securing credit card information

Hardware based authentication

• Point of Sale (POS): Point of sale (also called POS or checkout) is the place where a retail transaction is completed. It is the point at which a customer makes a payment to the merchant in exchange for goods or services. At the point of sale the retailer calculates the amount owed by the customer and provides options for the customer to make payment. The merchant will also normally issue a receipt for the transaction.

• The advent of cloud computing made it possible to deploy POS systems as Software as a Service, accessed directly over the Internet using any web browser. Building on earlier advances in the communication protocols for POS control of hardware, cloud-based POS systems are independent of platform and operating system limitations. Cloud-based POS systems are also built to be compatible with a wide range of POS hardware and sometimes tablets such as Apple's iPad.


Page 22: Access control measures for securing credit card information

Identity Management aspect in access controls for securing credit card information

• Access control applies to computer security, usually as in who can access what information. Through access control, the ability to permit or deny use of a resource is granted.

• This may include digital signatures, encryption, biometric scans, and physical devices.

• Identity management can include many things, including policies, technologies and the actual processes that control the access users have to the computing systems.

• Through the use of identity management and access controls such as passwords, account profiles, and access restrictions, the system is far safer than with no user authentication in place.


Page 23: Access control measures for securing credit card information

Some examples of Identity Management Products for credit card

• PayShield Cardholder Authentication for nShield: strengthens authentication for payments and online banking using general-purpose HSMs (hardware security modules). It allows card issuers to reduce phishing fraud in online banking and allows payment processors to reduce online payment fraud by deploying high-assurance cardholder authentication on commercial, off-the-shelf nShield Solo or nShield Connect HSMs.

It integrates easily and securely with online applications, Interactive Voice Recognition systems, and many off-the-shelf cardholder authentication solutions.


Page 24: Access control measures for securing credit card information

• SafeSign Authentication Server

SafeSign Authentication Server is software that centralizes management of strong authentication for all users, all applications, and all access channels, making it easier for organizations to implement a range of authentication requirements.


Page 25: Access control measures for securing credit card information

References: Symbiosis students

Kangkan Baruah

Shruti Manchanda

Shubhendu Nagdeve

Yugank Bhagod
